Backing Up the Certification Authority (CA)

 

If you have to recover a server that is running Certificate Services, you must first back up the computer that is the certification authority (CA). Although you can configure a computer to be both the CA and a server that is running Exchange 2003, it is better to run Certificate Services on a separate server to make sure that you meet your standards for reliability and performance.

It is recommended that you back up the CA by creating a full computer backup set of your server that is running Certificate Services. If you cannot create a full computer backup set of your server, you can also back up the CA by creating a Windows backup set on the server that is running Certificate Services. (The System State data part of a Windows backup set includes the Certificate Services database.) For more information about how to perform full computer and System State backups, see "Creating Full Computer Backup Sets" and "Creating Windows Backup Sets."

You can also use the Certification Authority Backup Wizard to back up keys, certificates, and the certificates database. You access this wizard from the Certification Authority MMC snap-in. If you use the Certification Authority MMC snap-in to back up the CA, make sure to back up the Internet Information Services (IIS) metabase also. You back up the IIS metabase file when you create a Windows backup set. (The System State data part of a Windows backup set includes the IIS metabase.) You can also use the IIS snap-in to back up the IIS metabase independently.

For more information, see the following resources:

To use the Backup or Restore Wizard in the Certification Authority MMC snap-in, you must be a Backup Operator or a Certification Authority Administrator, or you must have local administrator permissions on the CA. The Backup or Restore Wizard requires you to supply a password when you back up public keys, private keys, and CA certificates. You must have this password to restore data from the backup.
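A command-line counterpart to the wizard backup described above, added here as an example that is not part of the original page: it uses certutil -backup and the IIS 6.0 iisback.vbs script. The target path D:\CABackup and the metabase backup name CABackup are constructed placeholders.

```batch
@echo off
rem Added example: back up the CA keys, certificates and database, then the IIS metabase.
rem Assumptions: run on the CA by an account permitted to back up the CA;
rem D:\CABackup and the metabase backup name CABackup are constructed placeholders.
setlocal
set BACKUPDIR=D:\CABackup

rem Refuse to reuse an existing folder so old and new backup files never mix.
if exist "%BACKUPDIR%" (
    echo %BACKUPDIR% already exists; choose a new, empty target folder.
    exit /b 1
)
mkdir "%BACKUPDIR%" || exit /b 1

rem Back up the CA certificate, private key and certificates database.
rem The -p switch is deliberately omitted: certutil then prompts for the
rem backup password, which keeps it out of scripts and the command line.
certutil -backup "%BACKUPDIR%"
if errorlevel 1 (
    echo certutil -backup failed; no usable CA backup was written.
    exit /b 1
)

rem Back up the IIS metabase with the script shipped with IIS 6.0.
cscript //nologo "%SystemRoot%\System32\iisback.vbs" /backup /b CABackup
if errorlevel 1 (
    echo IIS metabase backup failed.
    exit /b 1
)

rem Check that certutil produced both parts of the backup set:
rem the password-protected key file (*.p12) and the DataBase folder.
if not exist "%BACKUPDIR%\*.p12" (
    echo No .p12 key file found in %BACKUPDIR%.
    exit /b 1
)
if not exist "%BACKUPDIR%\DataBase\" (
    echo No DataBase folder found in %BACKUPDIR%.
    exit /b 1
)

echo CA backup written to %BACKUPDIR%. Store it, and the password, offline.
endlocal
```

The .p12 file contains the CA private key, so treat the backup folder as being as sensitive as the CA itself and keep the password separate from the backup media.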

For more information about using CA and Windows Server 2003 public key infrastructure (PKI) with Exchange 2003, see "Implementing an Exchange 2003-Based Message Security System in a Test Environment" in the Exchange Server 2003 Message Security Guide.